The CTA’s Third Rule: Coming Soon?

Since the enactment of the Corporate Transparency Act (CTA) in 2021, banks have been anticipating that changes to beneficial ownership requirements. The CTA requires FinCEN to issue three rules, two of which have now been finalized.

The Reporting Rule was issued in September 2022 and became effective on January 1, 2024, although existing entities have until 2025 to comply. Entities formed in 2024 have 90 days after formation to comply. This rule requires entities to report their beneficial ownership information to FinCEN. FinCEN has issued a small entity compliance guide and FAQs to assist entities in complying with the Reporting Rule.

The second rule is the Access Rule, which governs access to and use of BOI. This rule, which was finalized in December 2023 and became effective February 20, 2024, governs access to the information collected by FinCEN under the Reporting Rule. It allows BOI to be disclosed to financial institutions in support of their compliance with customer due diligence requirements and requires financial institutions accessing this information to protect the information with the same level of security that applies to customer nonpublic personal information (NPPI) under the Gramm-Leach-Bliley Act (GLBA). It also imposes civil (and in some cases, criminal) penalties for unauthorized disclosure of BOI information. It does not, however, modify banks’ customer due diligence requirements, so although banks are authorized to access the information to meet their CDD requirements, those requirements do not yet require banks to access the information:

The Access Rule does not create a new regulatory requirement for banks to access BOI from the BO IT System or a supervisory expectation that they do so. Therefore, the Access Rule does not necessitate changes to Bank Secrecy Act (BSA)/anti-money laundering (AML) compliance programs designed to comply with the existing Customer Due Diligence rule (the “current CDD Rule”) and other existing BSA requirements, such as customer identification program requirements and suspicious activity reporting. Interagency Statement for Banks – On the Issuance of the Access Rule (fincen.gov)

The third rule, dubbed the Conforming Rule, will revise the current CDD Rule and, presumably, require financial institutions to access the information gathered under the Reporting Rule (and to do so in compliance with the Access Rule). Although originally slated to be released in 2023, the rule has not yet been proposed. The Treasury Department indicated in its recent agenda that FinCEN would release a proposed Conforming Rule in October 2024 with a 60-day comment period ending in December 2024. Assuming FinCEN adheres to this schedule, it seems unlikely that any changes to bank’s beneficial ownership procedures will become effective before 2026.

To throw another wrench in the works, a federal court ruled on March 1, 2024 in National Small Business United v. U.S. Dept. of Treasury that the CTA is unconstitutional. The appeal of that ruling is still pending with the Eleventh Circuit and scheduled for oral argument on September 27, 2024. Given the possibility that this case will end up going to the Supreme Court, it appears unlikely that this matter will be fully resolved when FinCEN issues the final Conforming Rule.

As we wait for further developments in this area, there are a few pro-active measures that banks can take to prepare for upcoming changes:

  • Advise customers. FinCEN’s website provides information that may be appropriate for banks to distribute or make available to new or existing business customers to help ensure that they are aware of the requirements and, where appropriate, obtain guidance from their own counsel.
  • Alert customers to fraud risks. FinCEN has reported that scams purporting to represent FinCEN or assist with BOI reporting appear to be soliciting information from individuals and entities. As with other potential scams, banks may serve as a trusted source of information encouraging customers to be skeptical of these types of communications.
  • Review security requirements. Financial institutions will presumably be required to access BOI information and ensure security of that information in conformance with the Access Rule. Banks looking to get ahead of the curve may want to start looking at incorporating BOI their training on information security and identifying changes that may be required in related procedures and policies to conform with Access Rule requirements. It may also be a good time to review existing information security protocols, including those of third parties, to confirm compliance with GLBA requirements.

As always, Compliance Alliance will keep members informed as developments unfold and, in the meantime, you are welcome to contact the Compliance Hub Hotline with any questions or concerns you may have.